Hi there,

We cannot get TCP with TLS to work for connecting to our rsyslog server (syslog_tls parameter):

  • Using UDP works fine.
  • Log output on the M300:
    loc3 .Debug 2022-04-23T19:24:49Z 235-[ SYSLOG Trying to Open TLS Client conn -> Destination: 192.168.1.15:6514.] 
    loc0 .Warn  2022-04-23T19:24:49Z 235-[ WARNING: SYSLOG_TASK. No active TLS connection available when logging was requested] 
    loc3 .Crit  2022-04-23T19:24:51Z 235-[ CertMgr: CertificateInvalid: HostnameMismatch] 
    loc3 .Debug 2022-04-23T19:24:51Z 235-[ CertMgr: Certificate Serial Number = 01] 
    loc3 .Debug 2022-04-23T19:24:51Z 235-[ CertMgr: Certificate host name = Wenke & Andree's CA"��r] 
    loc3 .Debug 2022-04-23T19:24:51Z 235-[ CertMgr: Certificate check: FALSE] 
  • Connecting with openssl s_client -connect rysum.ostfriesland:6514 is absolutely fine.
  • The rsyslog server's log shows:
    Apr 23 19:11:54 rysum rsyslogd[157630]: SSL_ERROR_SSL Error in 'osslRecordRecv': 'error:00000001:lib(0):func(0):reason(1)(1)' with ret=-1  [v8.2102.0]
    Apr 23 19:11:54 rysum rsyslogd[157630]: OpenSSL Error Stack: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate [v8.2102.0]
    Apr 23 19:11:54 rysum rsyslogd[157630]: netstream session 0x7f1e40007270 from 192.168.1.71 will be closed due to error [v8.2102.0]

  • Pointing the M300 to an SSL test instance openssl s_server -state -msg -debug -status_verbose -security_debug_verbose -HTTP -cert /etc/ssl/certs/rysum.ostfriesland_cert.pem -key /etc/ssl/private/rysum.ostfriesland_key.pem gives the following (consistent with the rsyslog log entries):
    SSL3 alert read:fatal:bad certificate
    SSL_accept:error in error
    139688820229440:error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate:../ssl/record/rec_layer_s3.c:1543:SSL alert number 42

Looking at the log entry on the M300, it appears that the certificate content parser may have a problem. The Certificate host name is rysum.ostfriesland whereas what is shown is the name of the CA plus some non-printable characters. This looks like a firmware bug. (We're on the latest version IPDECT/05.30/B0002/25-May-2021 14:26.)

Furthermore, there does not appear to be any documentation on how to set this up and specifically on how to set up a client certificate for the M300 in accordance with Supported Authentication Modes of rsyslog.

If you could kindly advise, that would be most appreciated!

Thank you kindly and best regards,

Andree
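
An added diagnostic example, not part of the original post: it builds a throwaway CA and server certificate (constructed samples) and uses openssl x509 -checkhost / -checkip to show which names a verifier accepts for the server certificate, for the CA certificate, and for the IP address the M300 log lists as destination. The CA name, file names and the function names make_demo_certs, check_name and demo are assumptions made for this example.

```shell
#!/bin/sh
# Added example. All certificates are constructed throwaway samples.

# Build a demo CA and a server certificate signed by it in directory $1.
make_demo_certs() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Demo CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null || return 1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=rysum.ostfriesland" \
        -keyout "$d/srv.key" -out "$d/srv.csr" 2>/dev/null || return 1
    # The server certificate carries a DNS SAN only, no IP SAN.
    printf 'subjectAltName=DNS:rysum.ostfriesland\n' > "$d/san.ext"
    openssl x509 -req -in "$d/srv.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -extfile "$d/san.ext" \
        -out "$d/srv.pem" 2>/dev/null
}

# check_name CERT host|ip VALUE -> prints "match" or "mismatch".
# openssl exits 0 either way, so the verdict is read from its output.
check_name() {
    if openssl x509 -in "$1" -noout "-check$2" "$3" 2>/dev/null |
        grep -q 'does match certificate'; then
        echo match
    else
        echo mismatch
    fi
}

demo() {
    dir=$(mktemp -d) || return 1
    make_demo_certs "$dir" || { rm -rf "$dir"; return 1; }
    # Leaf certificate against the DNS name it was issued for.
    echo "server cert vs rysum.ostfriesland: $(check_name "$dir/srv.pem" host rysum.ostfriesland)"
    # CA certificate against the same name: what a verifier reports if it
    # evaluates the CA's name instead of the leaf's.
    echo "CA cert vs rysum.ostfriesland:     $(check_name "$dir/ca.pem" host rysum.ostfriesland)"
    # Leaf certificate against the destination IP shown in the device log.
    echo "server cert vs 192.168.1.15:       $(check_name "$dir/srv.pem" ip 192.168.1.15)"
    rm -rf "$dir"
}

demo
```

For the real server, run check_name against /etc/ssl/certs/rysum.ostfriesland_cert.pem with the host name or address actually configured on the M300.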